You can use the Authentication workspace to configure directory services for SaltStack Config using the LDAP protocol. This protocol is used for connecting to services such as Active Directory or Microsoft Azure.
SaltStack Config uses the following back end process to authenticate LDAP-based systems:
- Preview - When you preview your connection settings, SaltStack Config retrieves a sample list of users and groups from your LDAP server so you can verify you have entered the correct configuration parameters.
- Login - When a user enters credentials in the SaltStack Config login form, the backend server checks for a match in the database at that time. It then initiates a multi-step lookup process and, upon finding a match, authenticates the user. Given this lookup process, enabled individual users in enabled groups do not appear in the Roles workspace until the user's first login.
- Background tasks - SaltStack Config runs a background job periodically to look up each linked group and user in the Directory Service connection to ensure it still exists. If the group or user has been removed, the backend server deactivates its link in the database.
- Archived groups and users - Any groups you remove from your Directory Service connection are archived. Even though these groups are inactive and users can’t log in, they’re still visible in the Roles workspace and can be selected. This also applies to any removed users previously visible in the Roles workspace.
- Nested groups - When working with nested groups, by enabling a parent group, you also enable all child groups by default.
Configuring an LDAP connection
To configure LDAP, first create a connection, then enable specific LDAP users and groups to authenticate to SaltStack Config. Once you have enabled groups or users, you can define their Role-Based Access Control (RBAC) settings.
You can choose to prefill the fields with default settings customized to your directory service, such as Active Directory or OpenLDAP.
To set up an LDAP directory service:
- (Optional) Before configuring LDAP, it might be helpful to test your connection and queries using a third-party tool. For AD users, you might use LDP or ADSI Edit. For Linux users, the recommended tool is
ldapsearch
.Note: For more on testing with these tools, see How to verify and troubleshoot a Directory Service connection in the Support Center. - Click Administration > Authentication on the side menu.
- Click Create.
- From the Configuration Type menu, select LDAP.
- (Optional) Under Settings, click Prefill Defaults and select your directory service from the dropdown.
The default entries populate according to your selection. However, certain entries such as User Search DN are incomplete. Make sure to verify that entries match your directory service schema, and to replace placeholder text with the correct values for your service.
- Enter or verify information for your LDAP connection.
Basic
Field Description Name Name of LDAP connection. Since this is a display name only, enter any name would be useful to help differentiate this authentication backend from others. Host LDAP host server address, formatted as either a FQDN or IP address. Port Port where LDAP server is configured. The default is 389
for unencrypted LDAP, and636
for LDAP over SSL.Background Sync SaltStack Config validates all users and group against the authentication backend at a set interval defined (in minutes) here. SSL - Enable SSL
-
Select to connect to the LDAP server over a Secure Sockets Layer (SSL) using the certificate specified in your RaaS server settings. If no configuration is provided, the system certificates store will be used to validate the SSL connection. For more on setting up the RaaS server, see
Set up SSL certificates in the Installing and Configuring
SaltStack Config guide.
Important: As a best practice, select Enable SSL. When this option is left unselected, SaltStack Config transmits information in plain text over an insecure connection.
Authentication
Field Description Auth Base DN Base LDAP Distinguished Name. This is the location groups and users are queried from, for example
DC=sse,DC=example,DC=com
.Note: The LDAP details page includes separate input fields for Person Object Class, Account Attribute Name, Group Class, Group Attribute Name, and Sync Scheduling, as described below. Therefore, do not include these objects in the Base DN field.Admin Bind DN Administrator DN configured for the LDAP server. SaltStack Config uses this to authenticate to the directory for user and group lookups. Enter input based on the following syntax: cn=Administrator,cn=Users,dc=example,dc=com
.Admin Bind DN Password The administrator’s individual password.
This is stored with encryption in the database. It is not stored in plaintext.
Auth Bind DN Filter Filter applied to select a specific user. The result of this search is a user DN that SaltStack Config uses to bind to the directory and grant the user access to SaltStack Config. This is useful for limiting the number of results that are returned from a given search.
Note: Because the filter syntax can become quite complex, a best practice is to test the entry using LDP,ldapsearch
, or a similar tool to validate your entry and make any adjustments before filling out this field.The following sample filter would return only an account matching the provided username belonging to the DevOps or Level II groups.
(&(objectclass=user)(sAMAccountName={username})(|(memberOf=CN=DevOps,OU=Groups,OU=TestCompanyHQ,DC=adtest,DC=com)(memberOf=LevelII,OU=Groups,DC=adtest,DC=com)))
If you are using prefilled defaults, make sure to replace placeholder text with the correct values for your directory service.
Note: When configuring a forest structure, leave this field blank.Remote Unique ID Attribute Name Name of the value used to identify unique entries. This is the unique ID attribute for all entries. In AD this is ObjectGUID
.Groups
Users
Field Description User Search DN The search base for users, for example, cn=Users,dc=example,dc=com
in AD orcn=people,cn=accounts,dc=example,dc=com
in other directory services. Indicates where in the directory to search for users. Use along with User Search Scope below.User Search Scope Indicates directory search depth from the base indicated in User Search DN and can have one of four values. See the four values described in Group Search Scope. User Search DN Filter Search filter for extracting users from the directory. This is typically (objectClass=person)
but in some AD configurations it might be(objectCategory=user)
.Person Class Directory Service class name containing users you want to enable to log in. Most systems (including Active Directory) use person
, but some may preferuser
orinetOrgPerson
.User ID Attribute The unique name of the user account attribute. For AD, this is sAMAccountName
. For other services, it is oftenuid
ormemberUid
.User Membership Attribute The name of the attribute in the group entry that contains the user name. Possible examples include member
oruniquemember
. - To preview your settings without saving, click Update Preview.
The preview window shows users and groups selected for your connection. You can select either the Groups or Users tab to preview users and groups associated with the service as needed.
- Click Save.
Your LDAP configuration has been saved. To verify the configuration is correct, you might want to try logging in to SaltStack Config from a test user account. If you’re not able to successfully log in, see Troubleshooting for tips.
Note: For LDAP configurations, SaltStack Config stores the connection settings, including the groups and users identified. It retrieves only groups and users within the scope you have defined and does not synchronize the entire directory.Over time you might need to refresh or re-sync your LDAP directory. For example, you should update your directory if you added new users and you want to enable them in SaltStack Config.
Enabling groups and users
After setting up your LDAP connection, you then need to configure directory service groups and ensure users can log in to SaltStack Config. To configure directory service groups:
- In the Authentication workspace, select the required LDAP configuration.
- Select the Groups tab to see a list of groups retrieved from your LDAP configuration.
Note: If you’re retrieving a large number of groups, the page might take up to a minute to load.
- Select the groups you want to enable in SaltStack Config.
- Select the Users tab to see a list of users retrieved from your LDAP configuration.
Note: If you’re retrieving a large number of users, the page might take up to a minute to load.
- Select the users you want to enable in SaltStack Config.
Note: Any users included in enabled groups are already selected and can’t be deselected.
- Click Save.
You can now define Role-Based Access Control (RBAC) settings for the selected groups. However, the Roles workspace allows you to manage settings for individual users included in the selected groups only after the user’s first login. To delete groups or users, deselect the group or user and then click Save.
For more on RBAC in SaltStack Config, see How do I define user roles.
Troubleshooting your LDAP Connection
Problem | Description | Solution |
---|---|---|
I’m not able to preview my connection | If you’re not able to preview your groups and users, in many cases this is due to a connection problem between your LDAP server and SaltStack Config, or an invalid entry in the LDAP configuration form. |
|
When trying to preview my connection, the page gets stuck loading | If the page gets stuck loading for over two minutes, restart the RaaS service, then delete and re-create the configuration. |
|
Other miscellaneous issues | If you’ve already configured and saved your LDAP connection but users aren’t able to log in, or if you are encountering any other issues, check the |
To enable extended debugging:
|
Some common errors you might see in the logs are as follows:
- Wrong settings for connection (SSL). Adjust your SSL settings.
[raas.utils.validation.schemas.settings][DEBUG :546 ][Webserver:9096] Error while connecting to AD/LDAP Server. SSL connection issues: socket ssl wrapping error: [Errno 104] Connection reset by peer
- Wrong password for Admin BIND DN. Verify and re-enter your password.
[raas.utils.rpc ][DEBUG :284 ][Webserver:9095] Processed RPC request(129360670417695). Response: {'riq': 129360670417695, 'ret': None, 'error': {'code': 3004, 'message': 'Request validation failure.', 'detail': {'_schema': ['Credentials are not valid']}}, 'warnings': []}
- The prefilled default Auth Bind DN Filter is creating a conflict. Leave the field blank, or use
{username}
instead of{{username}}
.Note:You might encounter this error when you’ve already saved your LDAP connection, but users aren’t able to log in.
[var.tmp._MEIBCyG76.raas.mods.auth.ldap][DEBUG :903 ][Webserver:9096] Running _get_auth_backend_user with this search_filter: (&(objectclass=person)(sAMAccountName={username})) [var.tmp._MEIBCyG76.raas.mods.auth.ldap][DEBUG :931 ][Webserver:9096] Could not find any user using '(&(objectclass=person)(sAMAccountName={username}))' as the search filter in the ldap backend under the ad-1 configuration. Trying remote_uid 'None' [var.tmp._MEIBCyG76.raas.mods.auth.ldap][DEBUG :963 ][Webserver:9096] Could not find any user using '(&(objectClass=person)(objectGUID=None))' as the search filter in the ldap backend under the ad-1 configuration.